Wednesday, January 2, 2013

booter.tw - Goes by twBooter

Earlier today, the mark of the New Year, we were graced by the return of twBooter and Askaa. Why is he back though you may ask? Last we heard, he had taken off with everyone's money from twBooter, then created a very fake and very expensive Form Grabber, took pre-orders, then bailed with the money. Surely any scammer would know to stay away, just as any well knowing community would not accept such a scammer back. Good thing we're on HF, where normal is abnormal. Rather than banking on the cash he earned scamming HF, Askaa tried to return. First claiming he was arrested, which was proven false. He then tried to return through Orgy, using Orgy as his 'face' so he could work, and scam, behind the scenes. Once Orgy had enough dirty info on the kid, he turned on him, posted it, and drove Askaa away from HF. I guess over time people forgot about this, albeit only 6 months, and now we're here.

That being said, I suppose it is only fair that we take a look at things since Askaa's already claiming top dog.




Your average HF sales thread, flashy and only discusses what HF users understand, more than enough to bank off of us all. He however makes a lot of claims and makes up new words/methods to try to sound advanced. Can't wait until Enhanced Super Spoofed SYN Rampage Annihilator attacks come out. The more adjectives, the better the attack is, obviously. Also, does no one else get annoyed that he very clearly admits to his past scams, and to make you feel more secure he no longer offers lifetime accounts? "I know I scammed you guys for a lot, but look, now I can't scam for as much, I must be legit!" Moving on...


I guess I won't comment on the new and fully custom source, as I haven't seen the back end. But from the looks of things, they took Orgy's source, turned it green, and called it their own. Good work guys, that really shows your development. Claim custom source -> Use someone else's front end.

I'm really curious regarding these partnerships Askaa is claiming he has with his hosts. It's fair to point out that Askaa (The money) and DaL33t (The developer (how?)) are both underaged, and both foreigners. Do I even need to explain why no one is going to take them seriously? I'm not sure where he hosts his attack servers yet, but I've been paying attention to what he's been doing with his front end.


July 17th, 2012
Domain was Registered to the following contact
Domain Name: booter.tw
Registrant: Magnus Madsen 
Email: magnusden17@gmail.com
Phone: +45.27576800
Address:
      sønderstrede 36, 
      københavn v, Denmark
     

December 6th, 2012
Domain: booter.tw
NS1: ns1cmt.name.com
NS2: ns2clp.name.com
IP: 184.172.60.183    



December 23rd, 2012
Domain: booter.tw
NS1: dana.ns.cloudflare.com
NS2: noah.ns.cloudflare.com


January 2nd, 2013
ping mail.booter.tw - 199.195.251.148 - Awknet
ping booter.tw - 199.27.134.63 - CloudFlare
ping direct.booter.tw - 67.215.65.132 - OpenDNS
ping direct-connect.booter.tw - 67.215.65.132 - OpenDNS
ping ftp.booter.tw - 67.215.65.132 - OpenDNS
ping email.booter.tw - 67.215.65.132 - OpenDNS


January 10th, 2013
mail.booter.tw - 108.162.194.85 - CloudFlare

 

Once his sales get going a bit, I'll grab an account and figure out who's hosting his attack servers.

Alright, like I said, I'd grab an account and figure out who's hosting their attack servers.

I purchased an account, the set up failed. Idk, just found his "That's a lie." statement humorous.

First thing I did was get a little PHP script written up that would not only log connecting IPs, but would unmask them for me if they were using a proxy of some sort. I hopped on my newly created twBooter account, connected to my webserver, and launched a 300 second 'post flood' at a dummy webpage I created containing the IP logging script. The results are as follows: http://pastebin.com/ZJ7cHwyK
Basically what you see is a shit ton of proxies attempting to flood my site. Unmask these proxies, and they all lead back to the same IP: 67.222.156.241

IP: 67.222.156.241
Loc: Dallas, Texas

They don't offer an easy way for me to contact them regarding abuse, so I'll look into them more a bit tomorrow.
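The proxy-unmasking step described above comes down to reading the headers that forwarding proxies attach to each request and grouping the flood by the origin they disclose. The Python below does that analysis on recorded requests; it is an added example, not the PHP script used for this post, and the header list, function names and sample records (documentation-range addresses) are assumptions.

```python
import ipaddress
import re
from collections import Counter
# Request headers in which a forwarding proxy may disclose the client it relays for.
ORIGIN_HEADERS = ("x-forwarded-for", "forwarded", "client-ip", "x-real-ip")

def claimed_origin(headers):
    """Return the first syntactically valid origin IP a proxy disclosed, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ORIGIN_HEADERS:
        raw = lowered.get(name, "")
        if name == "forwarded":      # RFC 7239 form: for=192.0.2.1;proto=http
            candidates = re.findall(r'for="?\[?([^\]";,\s]+)', raw, re.I)
        else:                        # comma list, left-most entry is the original client
            candidates = [part.strip() for part in raw.split(",")]
        for cand in candidates:
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue             # "unknown", hostnames, junk values
    return None

def summarise(records):
    """Group requests by disclosed origin: (hits per origin, peers per origin, opaque count)."""
    origins, peers, opaque = Counter(), {}, 0
    for peer_ip, headers in records:
        origin = claimed_origin(headers)
        if origin is None:
            opaque += 1              # direct hit or anonymising proxy: nothing disclosed
            continue
        origins[origin] += 1
        peers.setdefault(origin, set()).add(peer_ip)
    return origins, peers, opaque

# Constructed sample: (TCP peer address, request headers) as a logging page would record them.
SAMPLE = [
    ("198.51.100.10", {"X-Forwarded-For": "203.0.113.77"}),
    ("198.51.100.11", {"X-Forwarded-For": "203.0.113.77, 198.51.100.200"}),
    ("198.51.100.12", {"Forwarded": "for=203.0.113.77;proto=http"}),
    ("198.51.100.14", {"X-Forwarded-For": "unknown"}),
    ("198.51.100.15", {"User-Agent": "Mozilla/5.0"}),
    ("192.0.2.50", {"X-Real-IP": "192.0.2.99"}),
]

if __name__ == "__main__":
    origins, peers, opaque = summarise(SAMPLE)
    for origin, hits in origins.most_common():
        print(f"{origin}: {hits} requests via {len(peers[origin])} proxies")
    print(f"{opaque} requests disclosed no origin")
```

These headers are set by whoever sends the request, so a shared origin across many proxies is a lead to corroborate with the hosting provider's records, not proof on its own.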

--Important Update--

Got a tip from a friend to check out the IP: 72.9.154.18
They stated it would lead directly back to booter.tw, so we did some poking around:

IP: 72.9.154.18
Loc: Dallas, Texas

Seems like everything is tying back to Tailor Made Servers. To make sure, I contacted a friend of mine from an underground forum and had him run a 5 minute test DDOS attack on the IP. The results:


So looks like we knocked something offline on one of their back end servers. Shortly after, Incapsula DDOS protection kicked in, blocked any connecting IPs. Basically, we're going to need to write up reports to Tailor Made Servers, CloudFlare, and Incapsula at this point. If they refuse to handle it, we'll post the reports on WHT and other related forums.

4 comments:

  1. I hope askaa gets butthurt so bad i hope yall take down his shit next its pretty fucked up what he did if i lived close to him id go knock on his door and kick his ass myself.

  2. BV1 please contact me on skype mission.tech

    1. You are a skid, GTFO. You're downloading spartans API source and act as if you know shit on HF talking shit to spartan staff. I bet you don't even know what SSH2 stands for.

  3. He's a scammer. I opened a ticket to buy more stress time, but after I paid he removed my account. Fuck you booter.tw
